Cryptographic Commands

6 Cryptographic Commands

You can use the cryptographic commands to encrypt and decrypt the provided data using the Oracle Key Vault managed security objects.

okv crypto data decrypt Command
The okv crypto data decrypt command performs a decrypt operation on the given ciphertext data using the Oracle Key Vault managed security object that is within the Oracle Key Vault server, and returns the decrypted data.
okv crypto data encrypt Command
The okv crypto data encrypt command performs an encrypt operation on the given plaintext data using the Oracle Key Vault managed security object that is within the Oracle Key Vault server, and returns the encrypted data.

6.1 okv crypto data decrypt Command

The okv crypto data decrypt command performs a decrypt operation on the given ciphertext data using the Oracle Key Vault managed security object that is within the Oracle Key Vault server, and returns the decrypted data.

Required Authorization

The endpoint must have read permission on the key used for the decryption.

Syntax

okv crypto data decrypt --uuid UUID --data file_path 
--block-cipher-mode block_cipher_mode --padding padding --iv file_path 
--authenticated-encryption-additional-data file_path 
--authenticated-encryption-tag file_path --data-format data_format 
--decrypted-data output_file_path

JSON Input File Template

{
  "service": {
    "category": "crypto",
    "resource": "data",
    "action": "decrypt",
    "options": {
      "uuid": "#VALUE",
      "data" : "#VALUE",
      "blockCipherMode" : "#CBC|ECB|CFB|OFB|GCM",
      "padding" : "#NONE|ZEROS|PKCS5",
      "iv" : "#VALUE",
      "authenticatedEncryptionAdditionalData" : "#VALUE",
      "authenticatedEncryptionTag" : "#VALUE"
      "dataFormat": "#HEX|BASE64",
      "decryptedData": "#VALUE"
    }
  }
}

Parameters

Parameter/Template Parameter	Required?	Description
`--uuid` / `uuid`	Required	Universally unique ID (UUID) of the key to use for the decryption. To find the unique identifier for the object, in the Oracle Key Vault management console, click the Keys & Wallets tab, and then click Keys & Secrets in the left navigation window. In the Keys & Secrets table, check the Unique Identifier column.
`--data` / `data`	Required	File path to the ciphertext data that needs to be decrypted
`--block-cipher-mode` / `blockCipherMode`	Optional	Block Cipher Mode. Values are as follows: `CBC` for cipher block chaining `CFB` for cipher feedback `ECB` for electronic codebook `GCM` for Galois/counter `OFB` for output feedback If you omit this setting, then Oracle Key Vault uses the cryptographic parameters that are associated with the key.
`--padding` / `padding`	Optional	Padding. Values are as follows: `NONE` `ZEROS` `PKCS5` If you omit this setting, then Oracle Key Vault uses the cryptographic parameters that are associated with the key.
`--iv` / `iv`	Optional	File path of the initialization vector (IV) to use for the decrypt operation. You must use the same initialization vector that was used during encryption.
`--authenticated-encryption-additional-data` / `authenticatedEncryptionAdditionalData`	Optional	File path of authenticated encryption additional data to use for the decrypt operation. You must specify the same authenticated encryption additional data that was used during encryption.
`--authenticated-encryption-tag` / `authenticatedEncryptionTag`	Optional	File path of the authenticated encryption tag to use for the decrypt operation. You must specify the same authenticated encryption tag that was generated during encryption.
`--data-format` / `dataFormat`	Optional	Data format. Format of the data in input and output files. If not specified, data is read and written as binary data. Values are as follows: `HEX` `BASE64`
`--decrypted-data` / `decryptedData`	Required	File path where the decrypted data is written. If the provided output file does not exist, then an error results. If the file is present, then it is overwritten with the decrypted data.

JSON Example

Generate JSON input for the okv crypto data decrypt command.

okv crypto data decrypt --generate-json-input

The generated input appears as follows:

{
  "service": {
    "category": "crypto",
    "resource": "data",
    "action": "decrypt",
    "options": {
      "uuid": "#VALUE",
      "data" : "#VALUE",
      "blockCipherMode" : "#CBC|ECB|CFB|OFB|GCM",
      "padding" : "#NONE|ZEROS|PKCS5",
      "iv" : "#VALUE",
      "authenticatedEncryptionAdditionalData" : "#VALUE",
      "authenticatedEncryptionTag" : "#VALUE"
      "dataFormat": "#HEX|BASE64",
      "decryptedData": "#VALUE"
    }
  }
}

Save the generated input to a file (for example, key_decrypt.json) and then edit it to include the decryption settings that you want. For example:

{ 
  "service": {
    "category": "crypto",
    "resource": "data",
    "action": "decrypt",
    "options": {
      "uuid": "2359E04F-DA61-4F7C-BF9F-913D3369A93A",
      "data" : "/okv/opt/data",
      "blockCipherMode" : "GCM",
      "padding" : "ZEROS",
      "iv" : "/okv/opt/iv",
      "authenticatedEncryptionAdditionalData" : "/okv/opt/keys/authenticatedEncryptionAdditionalData",
      "authenticatedEncryptionTag" : "/okv/opt/keys/authenticatedEncryptionTag",
      "dataFormat": "HEX",
      "decryptedData": "/okv/opt/keys/decrypted_data"
    }
  }
}

Run the okv crypto data decrypt command using the generated JSON file.

okv crypto data decrypt --from-json key_decrypt.json

Output similar to the following appears:

{
  "result" : "Success",
  "value" : {
    "decryptedData" : "/okv/opt/keys/decrypted_data"
  }
}

Parent topic: Cryptographic Commands

6.2 okv crypto data encrypt Command

The okv crypto data encrypt command performs an encrypt operation on the given plaintext data using the Oracle Key Vault managed security object that is within the Oracle Key Vault server, and returns the encrypted data.

Required Authorization

The endpoint must have read permission on the key used for the encryption.